topic Re: Not substituted certificate in browser Https Inspection in Firewall and Security Management

Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 11:32:01 GMT

Hello everyone!

I have Gaia R80.40 distributed deployment (management + clusterXL). I trying enable Https inspection the other day, created self-signed certificate, install this in "trusted root authorities" in Windows machine, but when i open any https site, certificate not substituted in browser.

Please tell me why this can happen?

With Regards, Herman

Re: Not substituted certificate in browser Https Inspection

Wolfgang — Thu, 24 Jun 2021 12:01:40 GMT

@Herman

have you defined some HTTPS inspection rules ?

Re: Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 12:09:32 GMT

@Wolfgang
only default predefined rule

Re: Not substituted certificate in browser Https Inspection

Alex- — Thu, 24 Jun 2021 14:35:53 GMT

Did you install the policy after enabling HTTPS Inspection in the FW object? 🙂

Re: Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 14:48:18 GMT

I'm new in checkpoint environment 😁, but if you mean it (see screenshot) then yes

Re: Not substituted certificate in browser Https Inspection

Benedikt_Weissl — Thu, 24 Jun 2021 15:36:29 GMT

Do you use the gateway as a proxy or transparent proxy? Is the gateway inline en route to the internet? I think the object "Internet" is based on the topology, is your topology correct (edit cluster -> network management -> the interface leading to the WAN should be marked as external) ?

You can set your ssl inspect rule to "log" and create another rule like this below it "Source: any Destination:any Service:any Action:bypass Track:log".

Re: Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 18:42:58 GMT

No proxy not used, if i right you understand

Yes, gateway inline en route to the internet. Checked Network topology, and External interface set as External zone (it's has not been mark as External zone), install policy, but it's did not affect

Not sure that right understand, but create bypass "test rule" and enable log tracking:

And now in logs & monitor tab if set filter as HTTPS Inspection may be view this:

But unfortunately certificate not substituted after that
--------
PS English is not my native language, so please be kind to my mistakes )))

Re: Not substituted certificate in browser Https Inspection

Benedikt_Weissl — Thu, 24 Jun 2021 18:29:33 GMT

You might wanna redact the public IPs next time and don't worry about your english 🙂 Your Interface names look strange to me, do they match the names as configured on the gateway OS? Can you switch the HTTPS Inspection rules around?

Re: Not substituted certificate in browser Https Inspection

Wolfgang — Thu, 24 Jun 2021 18:47:24 GMT

This looks good. HTTPS inspection catches the traffic, but it‘s bypassed regarding your rule. Something with defining the „internet“ as destination in your second rule does work like you want. Have a look at @Danny great post Properly defining the Internet within a security policy

You can try to define another rule first with your client as source and destination any with action „inspect“ to see if this connection will be intercepted.

Re: Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 19:08:12 GMT

In gateway OS interface have this names, they don't match with names in SmartConsole:

With inspections rules, i try some experiments

Re: Not substituted certificate in browser Https Inspection

Herman — Thu, 24 Jun 2021 19:18:27 GMT

I'm try to define first rule with destination any instead "Internet" for my client machine, but in logs not showing record with "inspect" action for Https inspection. Of course 😀 after create rule and install policy, tried to open some https sites in Chrome

Re: Not substituted certificate in browser Https Inspection

PhoneBoy — Thu, 24 Jun 2021 22:42:21 GMT

By the way, your last rule in the HTTPS Inspection policy should be any any bypass.
Without that, you very likely will have performance issues

Re: Not substituted certificate in browser Https Inspection

the_rock — Fri, 25 Jun 2021 01:46:08 GMT

I know this may sound like a silly question, but did you make sure that windows machine is actually going through CP firewall? If you do tcpdump -nni host x.x.x.x (with x.x.x.x as windows machine IP address), what do you see? Have you tried another machine or just one? From screenshots you pasted, config looks okay to me.

Re: Not substituted certificate in browser Https Inspection

Alex- — Fri, 25 Jun 2021 06:02:20 GMT

It's another topic but to me in newer versions of the Smart Console it should be the default behaviour with a warning message if it doesn't exist, similar to the message if an inline layer is missing a cleanup rule. It doesn't make sense to have Tech Talks explaining that it's best practices to have any/any/bypass to prevent performance issues due to undefined sessions and have the system out of the box doing the exact opposite, causing issues to unsuspecting customers.

Re: Not substituted certificate in browser Https Inspection

the_rock — Fri, 25 Jun 2021 12:12:11 GMT

Agree cold heartedly.

Re: Not substituted certificate in browser Https Inspection

Herman — Tue, 29 Jun 2021 07:25:06 GMT

Hello everyone!
I fixed this, just add new layer with Application & URL filtering blade in Access Control Policy. Than added three rules and it's work fine

Re: Not substituted certificate in browser Https Inspection

Simo-94 — Sat, 06 Jul 2024 15:58:22 GMT

I have tried all of this stuff but I still cannot figure out by the https inspection is not inspecting. it shows bypassing logs but no inspection logs

Re: Not substituted certificate in browser Https Inspection

the_rock — Sat, 06 Jul 2024 16:05:44 GMT

See if my post below helps, if not, we can do remote. I have perfectly working ssl inspection lab.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139

Re: Not substituted certificate in browser Https Inspection

Simo-94 — Sun, 07 Jul 2024 14:53:17 GMT

hi Andy, Thank you very much for you help. yes a remote session would be very helpful. here is what I did to configure https inspection and let me know if there something that I missed :

I tried in my lab it does not seem to "inspect" traffic. when I set the https policy to inspect I do not see any logs of inspection but when I set it to bypass I see the logs of bypassing.

1. I enbaled application and url filtering blade
2. enabled https inspection. created the certificate and exported it and isntalled it on the client machine. I checked the browser certificate repository to make sure taht the certificate was installed and it was.
3. enabled the application and url filtering on the access policy
4. set the https policy to any any inspect and log
5. installed access policy

when I visit https website and I try to check the logs to see the inspection, I don't see anything. and on the browser when I click to which certificate is being used I don't see the one that I created.

Re: Not substituted certificate in browser Https Inspection

the_rock — Sun, 07 Jul 2024 14:55:51 GMT

Just came back from long bike ride, saw your update 🙂

Anyway, since Im on call with work for this and next weekend, I usually do some labs on Sundays anyway, so let me know, happy to do remote and help you.

Just message me directly, we can do zoom. I have my private gmail one, as my company uses teams, but its good for 40 mins and if we need another one, we just wait 10 mins and "fire up" next session.

Let me know.

Best,

Andy